mpgn (@mpgn_x64)
Freebooter of the net ̿ ̿̿'̿'\̵͇̿̿\=(•̪●)=/̵͇̿̿/'̿̿ ̿ ̿ ̿ Podcast Hack'n Speak @hacknspeak /
Aix-en-Provence, France
Joined October 2013
16,853 Followers · 237 Following · 516 Media · 2,499 Statuses

@mpgn_x64
mpgn
2 years
Dumping LSASS is such a 2020 move, let me introduce a new CrackMapExec module called Masky, developed by @_ZakSec 🎉 If you have admin privileges, the module will impersonate all connected users -> request a certificate (ADCS) -> retrieve the NT hash using PKINIT 🚀 Crazy module 🪂
@mpgn_x64
mpgn
2 years
Dear Blueteam, save yourself from the redteam and enable these settings in your Azure tenant! 🚀 Otherwise, every "Guest" you invite to your Microsoft Teams meetings can list users from other groups etc. If you are not convinced, let me show you how easily it's done 📸
@mpgn_x64
mpgn
3 years
So now we are in 2021 and everyone is using LAPS (cough cough), it is time for CrackMapExec to level up the game. I've added a new core function "--laps", so if you have compromised an account that can read LAPS passwords, you can conquer the world now 🔥 Pushed on @porchetta_ind 🪂
@mpgn_x64
mpgn
1 year
The redteam when they do social engineering over the phone and the client downloads and executes the file "invoice.pdf.exe"
@mpgn_x64
mpgn
4 years
LDAP protocol is added to CrackMapExec, allowing us to quickly find ASREPRoast and Kerberoasting hashes 🔥 I also added two other options to list computers and users with unconstrained delegation and list users with the "adminCount" flag, big kudos to @ropnop for the Trooper talk 🙏
@mpgn_x64
mpgn
1 year
Hello everyone, the last release of CME was my final one for CrackMapExec 😊 I have decided to withdraw from the development of the tool to focus on my family and personal projects. The official repository and the most up-to-date version of CrackMapExec can be found on
@mpgn_x64
mpgn
2 years
It's 2023, CrackMapExec can now dump DPAPI credentials as a core feature! 🚀 This is possible thanks to the work of @_zblurx and his library dploot! He also added a module to dump Firefox passwords 🔥 Pushed on @porchetta_ind v5.4.5 Bruce Wayne 🪂 No excuse, DA every time 🔽
@mpgn_x64
mpgn
2 years
I just merged one of the craziest modules in CrackMapExec, called "hash_spider", from @hackerm00n 🚀 With initial admin access, it will dump lsass recursively, using BloodHound to find local admin paths (adminTo) to harvest more users and find new paths until DA 🔥 🪂
@mpgn_x64
mpgn
3 years
Big news, CrackMapExec now supports the RDP protocol 🎉 There is no crappy FreeRDP Python wrapper behind this, but the integration of @SkelSec's aardwolf lib (available on @porchetta_ind only) 🔥 Pushed on @porchetta_ind for sponsors 🪂
@mpgn_x64
mpgn
3 years
In case you want to see something cool about CrackMapExec and Responder 😌😋
1⃣ cme smb <ip> -u user -p pass --shares
2⃣ Responder -I eth0
3⃣ cme smb <ip> -u user -p pass -M slinky -o ...
Harvest ntlmv2/v1 credentials in no time if you have write access to a share 🔥 🪂
@mpgn_x64
mpgn
3 years
Some great news, CrackMapExec v5.1.6 is now available to all on @kalilinux 🎉 Additions:
➡️ CME now supports IPv6
➡️ new option for your custom AMSI bypass
➡️ new LAPS module
➡️ some logic improvement for testing NULL SESSION
@mpgn_x64
mpgn
2 years
BloodHound python from @_dirkjan is now integrated into CrackMapExec as a core feature 🔥
▶️ cme ldap <ip_dc> -u user -p pass --bloodhound
Enjoy this one, more juicy features to come soon 💪 Pushed on @porchetta_ind thanks to the sponsors as always 🪂
@mpgn_x64
mpgn
3 years
In case you want to see something cool about CrackMapExec, ntlmrelayx and Responder 😌😋
1⃣ Responder -I eth0
2⃣ -t <ip> -smb2support -socks
3⃣ proxychains crackmapexec smb <ip> -u <user> -p '' -d <domain>
@mpgn_x64
mpgn
2 years
New CrackMapExec module to dump Microsoft Teams cookies thanks to @KuiilSec's contribution ✌️ You can use them to retrieve information like users, messages, groups etc. or send messages directly in Teams 🔥 Initial discovery by @NoUselessTech 🪂
@mpgn_x64
mpgn
5 years
Update CVE-2019-19781: You can exploit the vulnerability without the file and only use the file! You can inject your payload inside the name of the XML file and fire the command execution! 🔥💪 #shitrix #citrix
@mpgn_x64
mpgn
3 years
I've dreamed of this feature a long time ago, always in my head during internal pentests, this is now done 💪 CrackMapExec will set the user as 'owned' on BloodHound when an account is found! Very useful when lsassy finds 20 credentials in one dump 🔥 Available on @porchetta_ind 🪂
@mpgn_x64
mpgn
3 years
Lately, two new tools for dumping the lsass process have come up: HandleKatz and nanodump 👀 I've integrated them into CrackMapExec as modules:
1⃣ -M handlekatz
2⃣ -M nanodump
3⃣ -M procdump (as a bonus 😝)
(dmp parsed by pypykatz from @SkelSec) Available on @porchetta_ind 🪂
@mpgn_x64
mpgn
3 years
If you compromise a member of the Backup Operators group there is a direct path to become Domain Admin without RDP/WinRM access to the DC! Dump and export the SAM remotely to a remote share! 🔥🎉 Thanks to @filip_dragovic for the initial POC!
@mpgn_x64
mpgn
2 years
Execute commands as another user without dumping LSASS or touching the ADCS server? Thanks to @Defte_ a new module has been added to CrackMapExec 🚀 The module will impersonate any logged-on user to exec commands as "this" user (system, domain user etc.) 🔥
@mpgn_x64
mpgn
3 years
Good news! CrackMapExec v5.2.2 is now available through @kalilinux 🎉 Lots of juicy features available:
➡️ LAPS support
➡️ BloodHound integration
➡️ no more CTRL-C
➡️ lots of new modules
➡️ LDAP support improvement
Update your Kali ⬇️ apt update && apt install crackmapexec
@mpgn_x64
mpgn
2 years
A new protocol has been added to CrackMapExec! You can now try FTP credentials and quickly find FTP servers with anonymous logon during internal pentests 🔥 Thanks to @RiiRoman who will receive a CME coin for his contribution! 🚀
@mpgn_x64
mpgn
4 years
How to defeat Hashcat!? 🛡️ Well, I think I found a workaround 😈 Use a password with the following format: ⚔️ '$HEX[xxxx]' ⚔️ (where xxxx are only hex characters) Unless a specific flag is added to hashcat, the attacker will never be able to crack it! #hashcat 1/5 ⬇️⬇️⬇️
@mpgn_x64
mpgn
3 years
Finally CrackMapExec can now fetch all domain users when the DC is vulnerable to NULL Session 🎉 Prior to this, CME was useless except for the password policy option 😓 No more enum4linux, rpcclient etc., all great tools but I prefer one tool to rule them all 🔥
@mpgn_x64
mpgn
1 year
3, 2, 1 CrackMapExec 6.0.0 is now public! 🎉 So many new features and fixes that I've made a blog post for it ▶️ Special thanks to @_zblurx @MJHallenbeck & @al3x_n3ff for their indefectible support & contributions! 🍻
@mpgn_x64
mpgn
3 years
Not 4 but 5 more modules have been pushed into CrackMapExec on @porchetta_ind 🔥 List + credit ⬇️
1⃣ -M nopac - @exploitph @Evi1cg
2⃣ -M petitpotam - @topotam77
3⃣ -M zerologon - @_dirkjan
4⃣ -M ms17-010 (🔔 not tested outside HTB) @ ywolf
5⃣ -M ioxidresolver @AirbusSecLab 🪂
@mpgn_x64
mpgn
3 years
The sponsor version of CrackMapExec has been pushed into the public repo of CME 💪 All the juicy features are now public after a big latency of 8 months. I will update the doc to match the new features 🔥 Thanks again for all the support 👏
@mpgn_x64
mpgn
1 year
Done, CrackMapExec is now able to decrypt LAPS password thanks to the awesome work of @_zblurx and @BoreanJordan 🎉 If you have a credential that can read laps password, just run a /24 with the option of your choice (lsassy, lsa, dpapi...) and quickly become DA (probably) 👑 🪂
@mpgn_x64
mpgn
2 years
Dumping SAM from a live Kali Linux in 2022 🔽
1⃣ cd Windows/System32/config
2⃣ pypykatz registry --sam SAM SYSTEM
Tools like chntpw, bkhive, pwdump, samdump2 are not working on the latest Windows 10 👀
@mpgn_x64
mpgn
1 year
New release of crackmapexec is out! 6.1.0 🥳 This version now supports a new protocol: WMI by @Memory_before! If the SMB port is filtered, you can still pwn3d everything!! 🔥 Quick list of improvements 🔽
- CME now works against Windows 2003 and Windows 7 (it was broken)
@mpgn_x64
mpgn
2 years
A much needed module during internal pentests will be added to CrackMapExec tonight 🌛 Why scan a /16 when you can get all IP/DNS records of the domain using the get-network module? 🔥 Thanks to @_dirkjan (this module is adidnsdump as a module) and @snovvcrash for the CIDR trick!
@mpgn_x64
mpgn
4 years
Struggling with golden ticket and access denied? 😡 Use the 'klist add_bind' command after injecting your ticket with mimikatz or rubeus:
1⃣ cmd (elevated)
2⃣ mimikatz kerberos::golden
3⃣ klist add_bind <DOMAIN> <DC>
4⃣ psexec \\dc\ cmd
Before and after the klist add_bind command ⚔️
@mpgn_x64
mpgn
2 years
CrackMapExec version 5.4.0 "Indestructible G0thm0g" is out for everyone and also available in @kalilinux 🎉
➡️ apt update
➡️ apt install crackmapexec
Happy Hacking! 🔥🪂 Release blog post 🔽
@mpgn_x64
mpgn
4 years
CrackMapExec v5.1.0 is released today! Lots of small changes + some Kerberos attacks have been added 🎉 I created a clean GitBook for CME, I hope you will appreciate it, I spent time on it 🐰 As always, thank you all for the support on twitter 💕
@mpgn_x64
mpgn
4 years
Running your own custom AMSI bypass on CrackMapExec is always better when using PowerShell 😌😋 Pushed to master branch for sponsorware and will be on the menu for the next release into Kali ✌️
@mpgn_x64
mpgn
2 years
We worked together with @_zblurx to pull this new feature on CME! CrackMapExec can now authenticate using Kerberos with login/pass/nthash/aeskey without the need of a KRB5CCNAME ticket env 🚀 But wait, there is more! By adding this feature we can now mimic kerbrute features 🔥🫡
@mpgn_x64
mpgn
2 years
CrackMapExec can now retrieve gMSA passwords using the LDAP protocol and option --gmsa 🔥 Thanks to @pentest_swissky for this addition to CME 🫡 Also, I probably don't say it enough but thanks to all the sponsors from @porchetta_ind 🪂
@mpgn_x64
mpgn
1 year
Monday, June 26 in the evening, a new version of CrackMapExec will be published to everyone on 🚀 After nearly 12 months without an update on the public repository, it is time! 🍻 Blog post coming also! 🦇 Thanks to all the sponsors on @porchetta_ind 🪂
@mpgn_x64
mpgn
2 years
Next week on CrackMapExec, a new option will be available 📸
@mpgn_x64
mpgn
4 years
Crackmapexec v5.0.2dev is now on master 🎉 There are so many changes that I cannot list them all in one tweet so I put a screenshot 👻 Thank you all for the support when @byt3bl33d3r added me as collaborator on CME 👏
@mpgn_x64
mpgn
2 years
It becomes simpler and simpler to get an account on the domain without any prerequisite! Thanks to @BlWasp_ 💪 Add a computer using the SMB protocol:
1⃣ Responder -I eth0 -rPvd
2⃣ ntlmrelayx --smb-add-computer FAKE -t <FQDN>
3⃣ crackmapexec -u fake$ -p ... 🔥🚀
Quoted tweet from BlackWasp (@BlWasp_), 2 years:
My first PR on #Impacket. It is now possible to add a computer account via SMB from an NTLM relay with ntlmrelayx. Not easier than LDAPS to deal with the signature, but useful when no SSL certificate is in place on LDAPS #Windows #SMB #relay
@mpgn_x64
mpgn
3 years
"All our admins are in the Protected Users group, we must be secure!" The actual security 🔽
1⃣ Dump Kerberos tickets with lsassy (thanks to @remiescourrou)
2⃣ Convert & Import 🔄
3⃣ CrackMapExec <fqdn> -u user -p '' -k
4⃣ You have 4 hours to compromise the domain 🔥😋 🪂
@mpgn_x64
mpgn
3 years
Could not resist making a CrackMapExec module to detect remotely if the spooler service is enabled or not 😌 If enabled, go for the @cube0x0 exploit or Mimikatz from @gentilkiwi to gain SYSTEM on up-to-date workstations/servers 🔥 #printnightmare
@mpgn_x64
mpgn
2 years
Me after writing ONE vulnerability out of 10 for the pentest report
@mpgn_x64
mpgn
4 years
A new very cool module has been pushed for sponsorware on the CME repo! This module retrieves the LAPS password of each computer on the domain 🤖 Thanks to @vendetce / @n00py1 for the initial module/code. I refactored the code a bit to make it usable with the LDAP proto! 💪
@mpgn_x64
mpgn
4 years
CrackMapExec on Windows without compiling the whole project!? 👀 It's now possible and you can get the latest binary under the GitHub Actions tab (linux / mac / windows) 💪 Kudos to @mcohmi for the example from the Stormspotter project 👏
@mpgn_x64
mpgn
3 years
Just added an "audit" mode to CrackMapExec where the password (or nthash) will be replaced by the char of your choice or why not your favorite emoji 😆🚀 This is the end of the "I NEED TO BLUR THIS SCREENSHOT" era in your pentest report 💪 Pushed on @porchetta_ind 🪂
@mpgn_x64
mpgn
3 years
Major update on CrackMapExec 🔥 Updates from the private repository on @porchetta_ind have been pushed into the public one! There are a lot of new features and bug fixes in this v5.2.2 💪🚀 ⬇️ Blogpost ⬇️ 🪂
@mpgn_x64
mpgn
3 years
No drama tweet for me, just here to tell you that you can enjoy the wmi and smb exec methods on CrackMapExec without the need of the SMB server (no more sudo, port 445 error etc.) 😇 Hope you enjoy, I've already pushed the code on @porchetta_ind 🪂 Peace ✌️
@mpgn_x64
mpgn
3 years
Connecting to RDP using the Restricted Admin option seems to do the trick to evade this attack ✌️🎉
mstsc /RestrictedAdmin /v:<ip>
Quoted tweet from 🥝🏳️‍🌈 Benjamin Delpy (@gentilkiwi), 3 years:
Now in #mimikatz 🥝, #mstsc credentials (passwords / PIN codes) for RDP / Remote Desktop Client
- ts::mstsc - on client credentials
- ts::logonpasswords - on server credentials
Does not rely on previously injected hook/library, useful on jumping servers >
@mpgn_x64
mpgn
2 years
New update on CrackMapExec 🔽
➡️ Upload/download with MSSQL -guervild
➡️ Exploit KeePass (discover, trigger) @d3lb3_ 🔥
➡️ ACL read with LDAP @BlWasp_
➡️ Check ntlmv1 (postex) @Tw1sm
➡️ Check alwayselevated (postex) -bogey3
➡️ Improved export on cmedb @gray_sec 🪂
@mpgn_x64
mpgn
2 years
teaser for next week release 🪂
Quoted tweet from an0n (@an0n_r0), 2 years:
detecting EDR services remotely without admin privs. indicators:
- installed services: [MS-LSAT] LsarLookupNames()
- running processes: named pipes (there are some characteristic to EDRs)
needs some more testing and cleanup before release, but looks promising.
@mpgn_x64
mpgn
4 years
New version 5.1.4 of CrackMapExec is available on @kalilinux and for sponsorware of CME 🎉 A few improvements:
- thanks to @byt3bl33d3r CME now uses asyncio over gevent 💪
- some issues have been fixed (spider, pass-pol, MSSQL thx to @D1iv3 🙏)
- CME now uses Impacket v0.9.22 🚀
@mpgn_x64
mpgn
2 years
Cool stuff is coming on CrackMapExec, your next internal pentest will be too easy, trust me 🫡🔥
@mpgn_x64
mpgn
2 years
You can now dump only enabled users/computers or a specific user/computer when running the ntds option on CrackMapExec 🚀 Because yeah, sometimes dumping can take a very very long time while you only want the krbtgt hash to forge a golden ticket 😅
@mpgn_x64
mpgn
2 years
As promised, the RDP screenshot feature is pushed on CrackMapExec for sponsors on @porchetta_ind 📸 This feature wouldn't be possible without the awesome work of @SkelSec on aardwolf 🚀
@mpgn_x64
mpgn
1 year
A new module just landed on CrackMapExec called WCC by @__fpr 🚀 This module checks various configuration items on Windows machines, such as LSA cache, hash storage format, etc 🤿 You can also export the results for your pentest report ✍ Available on
@mpgn_x64
mpgn
4 years
Look ma, a standalone Windows executable for CrackMapExec ✨🐙
@mpgn_x64
mpgn
3 years
Very effective indeed to find valid Azure accounts and spray without generating sign-in events 👀
▶️ red: user doesn't exist
▶️ magenta: user exists
✅ green: user exists and password valid (no MFA required)
Implemented on CrackMapExec (not pushed yet) ✌️
Quoted tweet from Dr. Nestori Syynimaa (@DrAzureAD), 3 years:
The original @Secureworks's threat analysis report is out now 🔥 I'm happy to answer any questions regarding the technical details. Shout-out to @SantasaloJoosua for finding the usernamemixed endpoint back in 2019!
@mpgn_x64
mpgn
2 years
CrackMapExec version 5.3.0 "OPERATION C01NS 🪙" is now public 🎉🎉🎉 Lots of new features and fixed issues. All private features from the @porchetta_ind repo have been integrated into the public repository (rdp, audit mode, laps, winrm etc.) 🚀
@mpgn_x64
mpgn
3 years
New modules for CrackMapExec thanks to @HackAndDo and @qtc_de ✌️💪
1⃣ Quickly get the FQDN of the ADCS server in order to perform the ESC8 attack
2⃣ Lsassy module updated to use version 3.0!
3⃣ Yet another module to find sensitive info from user descriptions 👀 🪂
@mpgn_x64
mpgn
3 years
New update on the WinRM protocol, CrackMapExec can now get the sam & lsa secrets ! 🔥 Upcoming updates will focus on publishing awesome features thanks to @SkelSec ! Stay tuned 💪🚀 Code available on @porchetta_ind 🪂
@mpgn_x64
mpgn
2 years
If you found an account starting with _SC_GMSA after dumping LSA, CrackMapExec now converts the blob directly to an NT hash! 🔥 I also added two new core features to directly convert the ID of the gMSA to its real name or convert the whole blob directly 🚀 Pushed on @porchetta_ind 🪂
@mpgn_x64
mpgn
2 years
Full scenario with CrackMapExec 🚀
1⃣ get all IPs from your domain (using DA)
2⃣ scan all shares with the account of your choice
3⃣ export the results
4⃣ analyse the results
5⃣ call the CISO immediately 😂
Quoted tweet from mpgn (@mpgn_x64), 2 years:
CrackMapExec can now export share results in case you are scanning a /24 or /16 🔥 Thanks to @gray_sec for the PR 🚀
@mpgn_x64
mpgn
4 years
Next addition for Crackmapexec, Kerberos support 🛠️ There is still work to do to support aesKey and DC options but it's on dev branch. This will be the last addition before merging to master 👻
@mpgn_x64
mpgn
1 year
I've just tested a new feature developed by @MJHallenbeck and I must say that even I was not ready for this... 🫣 You will soon be able to chain multiple modules on CrackMapExec and gain so much time 🔥💪 Coming in a few days for sponsors on @porchetta_ind 🪂
@mpgn_x64
mpgn
4 years
So you finally found a domain account and you want to know if you can use this account to exec commands via WinRM? Well, I updated the WinRM code of Crackmapexec, allowing you to check if the account can WinRM! 🔥 It's on the dev branch, will be merged soon 😊
@mpgn_x64
mpgn
4 years
Spider_plus is a new cme module to dump files recursively from remote SMB servers. By default the module creates a JSON file with the share structure to avoid excessive dumping. When you think you found a juicy share, just dump everything and grep 🔥 Thx to Vincd from GitHub 👏
@mpgn_x64
mpgn
2 years
If you want to check if NLA is enabled or not when scanning RDP hosts, I've just integrated a new flag on CrackMapExec output ✌️ 🪂
@mpgn_x64
mpgn
4 years
Crackmapexec on Windows (╯°□°)╯︵ ┻━┻ Let the fun begin when locked inside a VDI 🔥⚔️
@mpgn_x64
mpgn
2 years
Last update on the Active Directory Security Assessment Checklist from @ANSSI_FR 🫡🇫🇷🔥
@mpgn_x64
mpgn
4 years
Thanks to @byt3bl33d3r CME is now dockerized, it's simple and easier 👏🔥
docker run -it --entrypoint=/bin/sh --name crackmapexec byt3bl33d3r/crackmapexec
@mpgn_x64
mpgn
1 year
It's Sunday ☀️! Best day to announce a new module just landed on CrackMapExec, allowing you to retrieve cleartext passwords on IIS Application Pools, by @Shad0wCntr0ller! 🚀 Just git pull the master branch 🔄 Now what if the application runs as a gMSA? 🔽🔽🔽
@mpgn_x64
mpgn
2 years
CrackMapExec can now export share results in case you are scanning a /24 or /16 🔥 Thanks to @gray_sec for the PR 🚀
Quoted tweet from Andy Robbins (@_wald0), 2 years:
If you are a defender and you're looking for answers for how to prevent this from happening to you: I *strongly urge* you to use @byt3bl33d3r 's CrackMapExec to enumerate and audit the contents of shares that your "normal" users have access to:
@mpgn_x64
mpgn
3 years
Ain't as sexy as the spooler CVE but in the next release of CrackMapExec, using the LDAP protocol you will be able to know if an account is in a privileged group or not 🔥 The error status has also been improved when an auth fails 🧙‍♂️ Next release on @porchetta_ind stay tuned 🪂
@mpgn_x64
mpgn
1 year
I've updated CrackMapExec to make it compatible with the new Windows LAPS feature. It is working against legacy LAPS & Windows LAPS, but doesn't support password decryption... yet ⏳ Pushed on @porchetta_ind
@mpgn_x64
mpgn
1 year
CrackMapExec can now extract trust relationships between domains thanks to @Shad0wCntr0ller 🏗️
cme ldap <ip> -u <user> -p <pass> -M enum_trusts
One more addition and we are very close to a new release! For now, it's available on the master branch 🔽 🪂
@mpgn_x64
mpgn
1 year
Did you know you can combine multiple options on the version 6.0 of CrackMapExec ? Dump lsa, dpapi, sam in one run instead of 3 !⏱️ 🪂
@mpgn_x64
mpgn
4 years
A Windows box I recommend to everyone ⚔️🛡️ Great usage of:
✅ Impacket
✅ Crackmapexec
✅ Powerview
✅ Bloodhound
✅ Hashcat
You can also exploit this box without Evil-WinRM, only with Rubeus, Powerview, Bloodhound, Hashcat and Mimikatz 😁 Thanks to @mrb3n813 and @egre55 👏
Quoted tweet from ippsec (@ippsec), 4 years:
HackTheBox Forest has been retired. A great box to learn some common misconfigurations in Active Directory (via Bloodhound). I even go down some rabbit holes and make password spraying lists using a few words and hashcat rules.
@mpgn_x64
mpgn
3 years
Note: having your domain admin in the Protected User group doesn't seem to protect him from this attack👀🧙‍♂️
Quoted tweet from 🥝🏳️‍🌈 Benjamin Delpy (@gentilkiwi), 3 years:
Now in #mimikatz 🥝, #mstsc credentials (passwords / PIN codes) for RDP / Remote Desktop Client
- ts::mstsc - on client credentials
- ts::logonpasswords - on server credentials
Does not rely on previously injected hook/library, useful on jumping servers >
@mpgn_x64
mpgn
5 years
CVE-2019-19781 starts with a path traversal on the "vpns" folder:
GET /vpn/../vpns/services.html
GET /vpn/../vpns/cfg/smb.conf
Patched if => HTTP/1.1 403 Forbidden
@mpgn_x64
mpgn
1 year
Version 5.4.6 of CrackMapExec is out for sponsors on @porchetta_ind & there are some breaking changes ⚠️ @MJHallenbeck decided to rewrite cmedb to use SQLAlchemy, he pretty much fixed all the issues 🚀 @_zblurx decided to push his module ntdsutil to avoid crashing the DC on 2019 🧙‍♂️
@mpgn_x64
mpgn
4 years
how it started how it's going
@mpgn_x64
mpgn
3 years
Inspired by @HackAndDo's module bh_owned, I have just integrated BloodHound into CME! CrackMapExec with BloodHound = 🔥 Every time you find a credential, it will be set as owned on BH! Happy with the result honestly :) Need more testing and sleep before release 😁
@mpgn_x64
mpgn
5 years
Remember the IKEEXT privesc on Windows 7!? A similar technique found by @zeifan and explained by @itm4n to #privesc from LOCAL SERVICE to SYSTEM on Windows 10 using the CDPSvc service! ☠️ WON'T FIX ☠️ 🇬🇧 🇬🇧 🔥
@mpgn_x64
mpgn
1 year
We worked together with @_zblurx to pull a new feature on CrackMapExec to log everything 🔥 You have two options: log everything using the config file and/or use the --log option to log to a custom file. Both can be used at the same time 💪 Pushed on @porchetta_ind 🪂
@mpgn_x64
mpgn
2 years
It's CrackMapExec time 🔥 I will review PR on the public repo, merge all features from the private repo to the public one, publish some azure stuff into the private one and finally push to Kali the new public version 🚀 Also a really cool swag is coming soon 👀🪙
@mpgn_x64
mpgn
2 years
Decided to check on this writeup from @0xdf_ when I read this sentence: "I wasn’t able to get crackmapexec to work either." With the latest update on CrackMapExec let's go for a 'Scrambled vs Crackmapexec' ! Getting root only using CME in 5 minutes 🚀✌️
Quoted tweet from 0xdf (@0xdf_), 2 years:
Scrambled from @hackthebox_eu disabled NTLM auth, breaking how I typically interact with a Windows host. .NET RE, Silver Tickets, Kerberoasting. I'll show attacking from both Windows and Linux. And JuicyPotatoNG in Beyond Root.
@mpgn_x64
mpgn
3 years
Version 5.2.0 of CrackMapExec has been pushed on @porchetta_ind 🪂 Multiple issues fixed and new features for the SMB and LDAP protocols! 💪 More features to come soon ✌️
@mpgn_x64
mpgn
4 years
So you are on an internal pentest with multiple MSSQL servers and you want to check if the account you pwned can connect to MSSQL and, even better, exec code? Well well well, crackmapexec! 😊 Works with Windows and normal accounts ⬇️⬇️⬇️
@mpgn_x64
mpgn
5 years
Remotely extract a memory dump of lsass using Pypykatz and Impacket in less than a second 🔥🔥🔥 Will be integrated to #CrackMapExec as a module when the switch to python3 will be done 💪 Thx to @SkelSec and @HackAndDo !
Quoted tweet from Pixis (@HackAndDo), 5 years:
For the weekend, here is a new article presenting a technique to read the contents of an lsass dump **remotely**, thus avoiding AV detection (#mimikatz) and the download of large dumps (80-150 MB). Have a nice weekend! 🙃
@mpgn_x64
mpgn
3 years
I've just merged three modules into the public and sponsor repo of CrackMapExec 🪂🎉 Thanks to @_nwodtuhs @podalirius_ @pentest_soka @nodauf 💕 Follow the thread to get a description of each module and the update info for the next release on Kali ⬇️⬇️⬇️
@mpgn_x64
mpgn
5 years
Quickly identify users / groups / password policy of the domain with prettyloot after dumping domain info using ntlmrelayx ! The script reads all files from the loot directory and prints information like a classic enum4linux output 😊
Quoted tweet from Dmitrijs Trizna (@ditrizna), 6 years:
Why not only SMB, but LDAP signing is important as well. Dump LDAP contents without any AD creds, but with one in the same broadcast domain (responder SMB/HTTP off):
sess1> responder -I <eth>
sess2> ntlmrelayx -wh test -wa 1 -t ldap://<ad> --no-da --no-acl -l /tmp/loot
@mpgn_x64
mpgn
2 years
Very very special and limited CrackMapExec swag just arrived at home 🎉 The quality is excellent, very happy with the end result 🚀🔥 Kudos to @ReeverZax and @DoomerOutrun at BZHunt for sponsoring this idea🇫🇷🥰 🪂
@mpgn_x64
mpgn
3 years
If you suffer from PTSD because of cme never finishing, you will be relieved soon, timeouts will save us all 🙏 End of the CTRL-Z era my friend 🎉 Pushed on @porchetta_ind 🪂
@mpgn_x64
mpgn
4 years
A new version of CrackMapExec, v5.1.5, is available on @kalilinux. Don't forget to update before your next internal pentest 🦾 I've added more options to the LDAP protocol and fixed some open issues on the public repo ✌️
@mpgn_x64
mpgn
2 years
In addition to a bug fix, I've also pushed an update on the RDP protocol so you can authenticate a user using Kerberos 🔥 Thanks to @SkelSec for this amazing aardwolf lib 🫡 Pushed on @porchetta_ind 🪂
@mpgn_x64
mpgn
2 years
let's tease a little bit
@mpgn_x64
mpgn
1 year
I'm too late to the party? 🎉